Emerging Threathightest
Potential PlugX Activity
Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Florian Roth (Nextron Systems)Created Mon Jun 12Updated Fri Feb 03aeab5ec5-be14-471a-80e8-e344418305c22017
Emerging Threat
Active Threat
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic24 selectors
detection:
selection_cammute:
Image|endswith: '\CamMute.exe'
filter_cammute:
Image|contains:
- '\Lenovo\Communication Utility\'
- '\Lenovo\Communications Utility\'
selection_chrome_frame:
Image|endswith: '\chrome_frame_helper.exe'
filter_chrome_frame:
Image|contains: '\Google\Chrome\application\'
selection_devemu:
Image|endswith: '\dvcemumanager.exe'
filter_devemu:
Image|contains: '\Microsoft Device Emulator\'
selection_gadget:
Image|endswith: '\Gadget.exe'
filter_gadget:
Image|contains: '\Windows Media Player\'
selection_hcc:
Image|endswith: '\hcc.exe'
filter_hcc:
Image|contains: '\HTML Help Workshop\'
selection_hkcmd:
Image|endswith: '\hkcmd.exe'
filter_hkcmd:
Image|contains:
- '\System32\'
- '\SysNative\'
- '\SysWow64\'
selection_mc:
Image|endswith: '\Mc.exe'
filter_mc:
Image|contains:
- '\Microsoft Visual Studio'
- '\Microsoft SDK'
- '\Windows Kit'
selection_msmpeng:
Image|endswith: '\MsMpEng.exe'
filter_msmpeng:
Image|contains:
- '\Microsoft Security Client\'
- '\Windows Defender\'
- '\AntiMalware\'
selection_msseces:
Image|endswith: '\msseces.exe'
filter_msseces:
Image|contains:
- '\Microsoft Security Center\'
- '\Microsoft Security Client\'
- '\Microsoft Security Essentials\'
selection_oinfo:
Image|endswith: '\OInfoP11.exe'
filter_oinfo:
Image|contains: '\Common Files\Microsoft Shared\'
selection_oleview:
Image|endswith: '\OleView.exe'
filter_oleview:
Image|contains:
- '\Microsoft Visual Studio'
- '\Microsoft SDK'
- '\Windows Kit'
- '\Windows Resource Kit\'
selection_rc:
Image|endswith: '\rc.exe'
filter_rc:
Image|contains:
- '\Microsoft Visual Studio'
- '\Microsoft SDK'
- '\Windows Kit'
- '\Windows Resource Kit\'
- '\Microsoft.NET\'
condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview and not filter_oleview ) or ( selection_rc and not filter_rc )False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Sub-techniques
Software
Other
detection.emerging-threats
Rule Metadata
Rule ID
aeab5ec5-be14-471a-80e8-e344418305c2
Status
test
Level
high
Type
Emerging Threat
Created
Mon Jun 12
Modified
Fri Feb 03
Path
rules-emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml
Raw Tags
attack.privilege-escalationattack.persistenceattack.s0013attack.defense-evasionattack.t1574.001detection.emerging-threats